A03:2021 — Injection

Injection vulnerabilities happen when untrusted input is interpreted as part of a command or query by an interpreter (SQL, NoSQL, OS shell, LDAP, XPath, etc.). Attackers craft input that changes the intended logic, allowing data disclosure, destruction, authentication bypass, remote code execution, or full system compromise.

Common injection types

• SQL Injection (SQLi) — manipulate SQL queries (' OR '1'='1).

• NoSQL Injection — e.g., MongoDB queries built from user input.

• Command Injection / OS Injection — attacker injects shell commands (; rm -rf /).

• LDAP / XPath Injection — break directory or XML queries.

• Template/Server-Side Template Injection (SSTI) — inject template expressions that execute code.

• ORM Injection — misuse of ORM APIs that accept raw expressions.

Impact

• Data leakage (read arbitrary data).

• Data modification or deletion.

• Authentication bypass.

• Remote command execution and server takeover.

• Lateral movement inside networks.

Core mitigations (applied in order of priority)

1. Use parameterized queries / prepared statements

   • Never build SQL with string concatenation.

2. Use safe APIs (ORM parameter binding, query builders)

   • Use library binding features instead of raw SQL.

3. Use allowlists (whitelisting) for input that controls logic

   • For sort fields, column names, command options — map user input to safe internal values.

4. Avoid interpreters where possible

   • Don’t call the shell; use native APIs.

5. Escape only when parameterization is impossible

   • Escaping is error-prone; treat as last resort.

6. Least privilege for DB and OS

   • DB accounts should have only required permissions.

7. Disable dangerous features

   • E.g., disable eval, JS execution in template engines, stored procedures that execute OS commands.

8. Output encoding for user data used in different contexts

   • HTML encode for HTML, URL-encode for URLs, etc.

9. Input validation for expected formats

   • Use strict checks (regex, types); prefer allowlists.

10. Logging & monitoring

    • Detect anomalies, repeated failed queries, suspicious input patterns.

11. Automated testing & security scanners

    • Run sqlmap, Burp Suite, OWASP ZAP; include injection tests in CI.